ECE 646 – CRYPTOGRAPHY AND COMPUTER NETWORK SECURITY

Analysis of Enterprise VPNs

Arif Basha

Contents

Introduction
Open Systems Interconnection (OSI) Model
Description of Technologies
IPSec
SSL
Experiments and Testing Performed
Overhead for VPN Protocols
Results of Tests Performed
Throughput Measurements
Handshake Time
Comparison of Tested Appliances
User Interface
Operating Systems Integration
End-Point Security
Maintenance Overhead
Applications
Scalability
Cost
Maintenance and Use
Security Analysis
Feature Comparison of Aventail 2500, Permeo Base5
Feature Comparison of Check Point NG, Cisco ASA 5500
Market Survey & Trends
Conclusion: What is appropriate: SSL or IPSec VPNs?

Abstract—In today's highly global marketplace, remote access to a network is imperative. Toward that goal, customers have had many options to choose from over the years. Recently, two Virtual Private Network (VPN) technologies have proved most beneficial for enterprise customers: Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL). SSL has evolved in recent years, gaining steady momentum and luring customers away from traditional IPSec networks. This paper compares the two technologies and attempts to clear up the confusion surrounding them.

Index Terms—Virtual Private Networks, Internet Protocol Security, Secure Sockets Layer, Wireless Networks

Manuscript received December 18, 2005. A. Basha is a graduate student studying Information Security and Assurance at George Mason University, Fairfax, VA, USA (e-mail: [email protected]).

I. INTRODUCTION

Starting with the advent of networking technologies, enterprise IT departments have had to balance two seemingly mutually exclusive mandates: open access to corporate applications and resources, and stronger access control and security. Hence almost all companies have some sort of remote access solution in place so that corporate network resources are convenient and available when necessary.

In the early 1990s there were only limited options for secure remote access; with the ubiquity of the Internet and the developments in communication technologies, the Internet has become the obvious choice for remote access. The public Internet was increasingly used to reach private information, which required stronger security for those communication channels. A Virtual Private Network (VPN) can be defined as a private network constructed within a public network infrastructure. The perimeter of a network is no longer solidly defined, as remote sites are linked across untrusted paths and remote access is granted to vendors and business partners. The primary requirements of a VPN are data confidentiality, data integrity, and data authenticity. The two main modes of this access are remote/branch office, which requires an always-on "on-the-LAN" experience, and remote/mobile employees. IT departments are now being forced to increase access to information for remote employees and business partners in order to maintain a competitive advantage. These implementations should be secure, have strong authentication and access control mechanisms, integrate seamlessly with the existing enterprise infrastructure, minimize administration time for network administrators, provide audit control, scale as the enterprise grows, and be deployable in "high availability" mode.

II. OPEN SYSTEMS INTERCONNECTION (OSI) MODEL

The OSI reference model was developed by the International Organization for Standardization (ISO). A layered architectural model (Figure 1) provides a common frame of reference for discussing Internet communications. It is used not only to explain communication protocols but to develop them as well. It separates the functions performed by communication protocols into manageable layers stacked on top of each other. Each layer in the stack performs a specific function in the process of communicating over a network.

Figure 1: OSI Model Illustrated

As the OSI model above indicates, protocols are like a pile of building blocks stacked one upon another. Because of this structure, groups of related protocols are often called stacks or protocol stacks. The network layer is concerned with the exchange of data between an end system and the network to which it is attached. The sending computer must provide the network with the address of the destination computer so that the network can route the data to the appropriate destination. The specific software used at this layer depends on the type of network in use; different standards have been developed for circuit switching, packet switching, LANs (Ethernet), etc. If the destination computer is attached to a different network, IP is used to allow data to traverse multiple interconnected networks. VPNs use both symmetric and asymmetric cryptography: asymmetric cryptography is generally used to authenticate the identities of the parties involved, whereas symmetric ciphers are used to encrypt the data because of their much greater speed.

III. DESCRIPTION OF TECHNOLOGIES

A. IPSec

IPSec is an Internet Engineering Task Force (IETF) standard (RFCs listed below) for real-time communication security. There are many application-specific security mechanisms, such as Secure Multipurpose Internet Mail Extensions (S/MIME) for e-mail and Kerberos for client/server operation. To address security concerns that cut across protocol layers, implementing security at the IP level provides protection both for applications that are security-aware and for those that are not. IP-level security encompasses three functional areas: authentication, confidentiality, and key management. IPSec provides the capability to secure communications across a Local Area Network (LAN), across private and public Wide Area Networks (WANs), and across the Internet.

The IPSec specification consists of numerous documents. The latest of the issued documents are:

– RFC 2401: An overview of security architecture
– RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
– RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
– RFC 2408: Specification of key management capabilities

In addition to these RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by
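The division of labour stated at the end of the OSI section (asymmetric cryptography to authenticate the parties, a fast symmetric cipher for the data) and the three IPSec functional areas named above (authentication, confidentiality, key management) can be seen together in one small exchange. The Go program below is an added illustration written for this page; it is not code from the paper, nor from any IPSec product or implementation, and it does not reproduce IPSec's own protocols (IKE, AH, ESP). It assumes Ed25519 long-term identity keys, an ephemeral X25519 key agreement, a simplified SHA-256 key derivation standing in for a standard KDF such as HKDF, and AES-256-GCM for the traffic; the identities and the payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewIdentity creates a long-term identity key pair: the asymmetric half of
// the design, used only to authenticate a peer, never to encrypt traffic.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// HandshakeMsg carries an ephemeral X25519 public key and the sender's Ed25519
// signature over it, binding the key agreement to a long-term identity.
type HandshakeMsg struct {
	Ephemeral, Sig []byte
}

// Session is one side's handshake state; Key is set once Finish succeeds.
type Session struct {
	eph *ecdh.PrivateKey
	Key []byte // 32-byte AES-256 key, nil until authentication succeeds
}

// StartHandshake generates an ephemeral key and signs it with the identity key.
func StartHandshake(identity ed25519.PrivateKey) (*Session, *HandshakeMsg, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub := eph.PublicKey().Bytes()
	return &Session{eph: eph}, &HandshakeMsg{Ephemeral: pub, Sig: ed25519.Sign(identity, pub)}, nil
}

// Finish verifies the peer's signature against the identity we expect
// (authentication), then runs X25519 and derives the session key (key
// management). No secret is derived from an ephemeral key that fails the check.
func (s *Session) Finish(expectedPeer ed25519.PublicKey, msg *HandshakeMsg) error {
	if !ed25519.Verify(expectedPeer, msg.Ephemeral, msg.Sig) {
		return errors.New("peer authentication failed: signature does not match expected identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(msg.Ephemeral)
	if err != nil {
		return err
	}
	shared, err := s.eph.ECDH(peerPub)
	if err != nil {
		return err
	}
	// Assumption: one SHA-256 over a label and the shared secret stands in for
	// the standard KDF (e.g. HKDF) a real IPSec or TLS stack would use.
	k := sha256.Sum256(append([]byte("vpn-session-key|"), shared...))
	s.Key = k[:]
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPayload protects one packet payload with AES-256-GCM (confidentiality
// plus integrity); the random nonce is prepended to the ciphertext.
func SealPayload(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPayload reverses SealPayload; any modification of the ciphertext is rejected.
func OpenPayload(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed payload too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

To drive it, each side calls StartHandshake with its own identity key, exchanges the resulting HandshakeMsg, and calls Finish with the public key it expects the peer to hold. Finish refuses to derive a key when the signature does not verify, which is the check that keeps an unauthenticated party from completing key agreement; only after both Finish calls succeed does the symmetric key carry traffic through SealPayload and OpenPayload, and a single flipped ciphertext byte makes OpenPayload fail rather than return altered data.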

